SquareUp and PCI Compliance

A major issue facing small business owners who are considering Square Credit Card Processing instead of a merchant account is security. Square’s security details are available at https://squareup.com/security, and it looks as though they do enough to keep most merchants out of trouble. However, there are some items that need to be addressed specifically, such as PCI and liability. Square sells some of its service by saying there are no PCI fees, the reasoning being that the solution is already secure, so there are no costs associated with being PCI compliant. Unfortunately this does not settle the PCI question, because application security is only one part of PCI compliance.

There are currently 4 levels that merchants are bucketed into, and regardless of whether you process a million transactions or just 1 a year, you fall into one of these buckets and must therefore prove PCI compliance at some point. Yes – you must prove PCI compliance: it is not enough that the application you use is compliant, you must prove that you are compliant. Assuming that the vast majority of individuals using Square are smaller merchants, they will fall into the 4th tier, which according to Visa’s website requires an annual Self-Assessment Questionnaire (recommended), a quarterly network scan by an ASV (if applicable), and compliance validation requirements as set by the acquirer. There are very few, if any, merchant service providers who do not offer PCI compliant software; the fees that are typically assessed to merchants exist because the payment brands are allowed to fine an acquiring bank from $5,000 to $100,000 per month for PCI violations – these fines are then passed down to the merchant level. The better merchant account providers will help merchants fulfill these requirements and avoid these fees in the future.

From the PCICompliance.org website:

“All merchants, small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.

Q: If I only accept credit cards over the phone, does PCI still apply to me?
A: Yes. All businesses that store, process or transmit payment cardholder data must be PCI Compliant.

Q: Do organizations using third-party processors have to be PCI compliant?
A: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.”

At this point in time, Square seems to me to have either ignored or misunderstood the PCI compliance guidelines as they are currently set forth (this is based on the information presented above). The other possibility is that they have somehow avoided requiring their users to be PCI compliant, in which case I am sure other merchant account providers will be very interested in learning how they were able to remove these requirements. My feeling is that at some point PCI will be an issue for Square, as Visa and Mastercard have made it clear that they want all individuals accepting credit cards to be compliant and to hand over significant fees to make sure they are. If the card brands step in and address this issue with Square, there could be significant costs associated with these accounts in the future.
